MS Graph - team create API returns 403 Forbidden error without proper error message

Question

MS Graph - team create API returns 403 Forbidden error without proper error message

Wolken Software Ltd 0

I have a single-tenant Azure app and I have all the required permission for creating an MS team via the app, and The API was working fine with the multi-tenant App earlier, but the same code is not working for the single-tenant app registered user; Please let me know if I am missing anything here; I am using organization tenant uri in my authn and authz calls for the single tenant.

Error Response User's image

API Permissions:

User's image

Decoded user's token

User's image

Sayali-MSFT 4,351 Reputation points Microsoft External Staff Moderator

2023-07-31T07:48:12.1133333+00:00

@Wolken Software Ltd - Thanks for reporting your issue.

We will check this at our end and will get back to you.

2 answers

Your answer

Sayali-MSFT 4,351 Reputation points Microsoft External Staff Moderator

2023-07-31T07:48:12.1133333+00:00

@Wolken Software Ltd - Thanks for reporting your issue.

We will check this at our end and will get back to you.

Answer 1

Sayali-MSFT 4,351 Microsoft External Staff Moderator

@Wolken Software Ltd - When issuing a request with application permissions, a user must be specified in the members collection.

POST https://graph.microsoft.com/v1.0/teams
Content-Type: application/json

{
   "******@odata.bind":"https://graph.microsoft.com/v1.0/teamsTemplates('standard')",
   "displayName":"My Sample Team",
   "description":"My Sample Team’s Description",
   "members":[
      {
         "@odata.type":"#microsoft.graph.aadUserConversationMember",
         "roles":[
            "owner"
         ],
         "******@odata.bind":"https://graph.microsoft.com/v1.0/users('0040b377-61d8-43db-94f5-81374122dc7e')"
      }
   ]
}

User's image

If you are using the unattended client credentials flow to obtain an access token, then you must specify the user in the member collection.

Wolken Software Ltd 0 Reputation points

2023-07-31T13:35:11.2366667+00:00

Hi Sayali,

I am using on-behalf of flow for token generation and even if I pass member collection object, receiving same error. And Azure app is single tenant;

Response screenshot below:
Wolken Software Ltd 0 Reputation points

2023-07-31T14:18:59.6166667+00:00

Facing same error with authorization flow and on behalf of flow access tokens'
Wolken Software Ltd 0 Reputation points

2023-07-31T14:20:40.49+00:00

Adding to above, GET APIs are working fine, i am able to get team data using same access token

Answer 2

CarlZhao-MSFT 46,406

Hi @Wolken Software Ltd

Make sure the target user has an O365 license, which is required to create a team.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Wolken Software Ltd 0 Reputation points

2023-08-01T07:05:23.8866667+00:00

Hi , Let me check this, But the client has access to the MS team app. They are using it for a long time.
CarlZhao-MSFT 46,406 Reputation points

2023-08-02T07:34:27.1733333+00:00

Hi @Wolken Software Ltd

I don't think the target user will be able to list team apps without O365 license, please double check if the target user has O365/MS365 license.

Share via

MS Graph - team create API returns 403 Forbidden error without proper error message

2 answers

Your answer